Troubleshooting mTLS issues in Security Compliance Management
Incorrect configuration of mTLS certificates when setting up Security Compliance Management to work with PE can cause agents and/or scan tasks to fail.
There are two main certificate configuration errors that cause problems:
- If the CA certificate configured for Security Compliance Management does not match the CA certificate the Puppet Enterprise certificate is signed with, then a trust store issue is returned upon setting up Puppet Enterprise or trying to run a scan.
- A hostname issue can arise if a server identity check does not pass. The
dnsName
in thesubjectAltName
of the server certificate must match the hostname Security Compliance Management is communicating with. The hostname configured in the Security Compliance Management settings page for Puppet Enterprise must match one of thednsName
entries in the Puppet Enterprise certificate.
Troubleshooting agent issues
Agents can fail if the certificate is configured incorrectly in two ways:
- The hostname could be the issue - the Security Compliance Management mTLS
certificate must have the
dnsName
with which the agent is trying to contact the Security Compliance Management server. This is relevant only if you set up the Security Compliance Management module to download the assessor from the Security Compliance Management server. The hostname the Security Compliance Management server is contacted with is the hostname in the configuredscanner_source
parameter URL. - The trust store may also be the problem if the Security Compliance Management server mTLS certificate and the client certificate are not signed by the same CA.
Troubleshooting scan task issues
Scan tasks can also fail if the certificate is configured incorrectly in two ways:
- If the hostname is incorrectly configured. The Security Compliance Management mTLS certificate must have the
dnsName
with which the agent is trying to contact the Security Compliance Management server. The hostname used is passed through by the task and can be seen in the Puppet Enterprise UI by checking the task parameters. Verify the task parameters to ensure that the hostname is correct. - If the Security Compliance Management server mTLS certificate and the client certificate are not signed by the same CA a trust store issue occurs and this too can cause the scan task to fail.
Troubleshoot mTLS from a node
You can run a simple cURL command to troubleshoot mTLS issues from a node.
To troubleshoot mTLS from a node:
- SSH into a node and change to the SSL subdirectory:
cd /etc/puppetlabs/puppet/ssl/
- Issue the following cURL command replacing values in angle brackets with values
relevant to your installation:
curl -G --key private_keys/<local host key> --cacert certs/ca.pem --cert ../certs/<local host cert> https://<comply-fqdn>:30303/assessor --output /tmp/assessor.zip
If you are using your own ingress, issue the following command:curl -G --key private_keys/<local host key> --cacert certs/ca.pem --cert ../certs/<local host cert> https://<PE hostname>/assessor --output /tmp/assessor.zip
If this command fails, there is an issue with certificates. The error message can help to identify if there is a CA, client certificate or hostname issue.
- If there is a hostname error, the output resembles the following error
message:
curl: (60) SSL: no alternative certificate subject name matches target host name '<scm-fqdn>'
- If it is a CA issue, the output is likely to be similar to the example
below:
curl: (60) SSL certificate problem: unable to get local issuer certificate
This may be because the CA of thehttps://<scm-fqdn>:30303/assessor
(orhttps://<PE TLS hostname>/assessor
) does not match the CA passed to the cURL command or because there is a mismatch with the CA of the client certificate.
- If there is a hostname error, the output resembles the following error
message: